On Wed, 2012-07-04 at 21:02 +0200, Sumit Bose wrote:
> Hi,
>
> since the default range for the local domain is now created during
> updates it is not necessary anymore to have duplicated code in
> adtrustinstance.py. Instead of trying to create a new range the code now
> only makes some sanity checks.

NACK, I think the last check is too strong.

Some people may need to add special users (legacy applications,
migrations, etc.) with specific IDs, but they do not care at all for those
to be able to get a SID/PAC.

I think we should not fail but only warn that some users seem to fall
out of the range.

Ideally in interactive mode, we ask if the admin wants to see the list of
objects falling off the ranges. And in any case ask if the user wants to
proceed anyway, with a warning that those users/groups will not be usable
for the cross-realm trust unless they are part of a range of IDs
comprising their specific ID.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
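
The warn-and-ask behaviour proposed in the reply above, sketched as an added example that is not part of the original thread or of FreeIPA's code. `IDRange`, `out_of_range`, `check_ranges` and the sample users and range are hypothetical and constructed for illustration.

```python
import logging
from typing import Callable, Iterable, List, NamedTuple, Tuple

log = logging.getLogger("range-check")

class IDRange(NamedTuple):
    name: str
    base_id: int  # first POSIX ID covered by the range
    size: int     # number of consecutive IDs in the range

    def covers(self, posix_id: int) -> bool:
        return self.base_id <= posix_id < self.base_id + self.size

def out_of_range(objects: Iterable[Tuple[str, int]],
                 ranges: Iterable[IDRange]) -> List[Tuple[str, int]]:
    """Return (name, id) pairs whose ID is not covered by any range."""
    ranges = list(ranges)
    return [(n, i) for n, i in objects if not any(r.covers(i) for r in ranges)]

def check_ranges(objects, ranges, interactive: bool = False,
                 ask: Callable[[str], str] = input) -> bool:
    """Return True if setup should proceed; stray IDs alone never abort."""
    stray = out_of_range(objects, ranges)
    if not stray:
        return True
    log.warning("%d users/groups have IDs outside every ID range; they will "
                "not be usable for the cross-realm trust", len(stray))
    if not interactive:
        return True  # unattended run: warn only, do not fail
    if ask("List the affected objects? [y/N] ").strip().lower() == "y":
        for name, posix_id in stray:
            print(f"  {name}: {posix_id}")
    return ask("Proceed anyway? [y/N] ").strip().lower() == "y"

# Constructed sample data: one local-domain range and four POSIX objects.
SAMPLE_RANGES = [IDRange("EXAMPLE.TEST_id_range", 1000000, 200000)]
SAMPLE_OBJECTS = [("admin", 1000000), ("alice", 1000004),
                  ("legacyapp", 501), ("migrated_grp", 70000)]

if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print("proceed:", check_ranges(SAMPLE_OBJECTS, SAMPLE_RANGES))
```
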